View PDF
Connections, Certificates and Authentication
Connections
- HTTP store
- HTTPS store
- NetScaler Gateway 10.5 and later
- Web Interface 5.4
Citrix Receiver for Windows can be connected to the VDA or an ICA session can be established on windows domain-joined machines, managed devices (local and remote with or without VPN) and non-domain joined machines.
Certificates
- Private (self-signed)
- Root
- Wildcard
- Intermediate
Private (self-signed) certificates
If a private certificate is installed on the remote gateway, the root certificate of the organization’s certificate authority must be installed on the user device to successfully access Citrix resources using Citrix Receiver for Windows.
Note
If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local Keystore.), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of apps is displayed but the apps cannot be launched.
Installing root certificates
For domain-joined computers, you can use Group Policy Object administrative template to distribute and trust CA certificates.
For non-domain joined computers, the organization can create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.
Wildcard certificates
Wildcard certificates are used on a server within the same domain.
Citrix Receiver for Windows supports wildcard certificates; however, they must be used in accordance with your organization’s security policy. In practice, an alternative to wildcard certificates is a certificate containing the list of server names with the Subject Alternative Name (SAN) extension is considered. These certificates are issued by both private and public certificate authorities.
Intermediate certificates
If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the NetScaler Gateway server certificate. For information, see Configuring Intermediate Certificates.
Authentication
Authentication to StoreFront
| Receiver for Web using browsers | StoreFront Services site (native) | StoreFront XenApp Services site (native) | NetScaler to Receiver for Web (browser) | NetScaler to StoreFront Services site (native) | |
| Anonymous | Yes | Yes | |||
| Domain | Yes | Yes | Yes | Yes* | Yes* |
| Domain pass-through | Yes | Yes | Yes | ||
| Security token | Yes* | Yes* | |||
| Two-factor (domain with security token) | Yes* | Yes* | |||
| SMS | Yes* | Yes* | |||
| Smart card | Yes | Yes | Yes | Yes | |
| User certificate | Yes (NetScaler plug-in) | Yes (NetScaler plug-in) |
*With or without the NetScaler plug-in installed on the device.
Note
Citrix Receiver for Windows 4.8 supports 2FA (domain plus security token) through NetScaler Gateway to the StoreFront native service.
Authentication to Web Interface
Citrix Receiver for Windows supports the following authentication methods (Web Interface uses the term Explicit for domain and security token authentication):
| Web Interface (browsers) | Web Interface XenApp Services site | NetScaler to Web Interface (browser) | NetScaler to Web Interface XenApp Services site | |
| Anonymous | Yes | |||
| Domain | Yes | Yes | Yes* | |
| Domain pass-through | Yes | Yes | ||
| Security token | Yes* | |||
| Two-factor (domain with security token) | Yes* | |||
| SMS | Yes* | |||
| Smart card | Yes | Yes | ||
| User certificate | Yes (NetScaler plug-in) |
*Available only in deployments that include NetScaler Gateway, with or without the associated plug-in installed on the device.
For information about authentication, see Configuring Authentication and Authorization in the NetScaler Gateway documentation and Manage topics in the StoreFront documentation.
For information about authentication methods supported by Web Interface, see Web Interface documentation.